Cybercrime Investigations

Provided below is a brief introduction to cybercrime investigations for officers. We describe the basic steps necessary when conducting the investigation, the steps required to identify potential digital evidence, and how to work with different kinds of digital evidence (e.g. mobile devices, social media, IP addresses, etc.).

Assess the Situation

As with any investigation, the officer must first determine the specific elements of the crime and whether the laws in their jurisdiction support prosecution. For example, can the charges be sustained even if guilt is proven? Given the many new technologies in use, common law and federal and state statutes very often have not caught up to the offenses. Another factor to consider when investigating cybercrimes is the global nature of the Internet. It is often beneficial to consult with your prosecutor to gain additional insight into specific crimes.

Conduct the Initial Investigation

When conducting a cybercrime investigation, normal investigative methods still apply: the who, what, where, when, why and how questions remain as important as ever. The investigator should also ask the following questions:

  • Who are the potential suspects?
  • What crimes were committed?
  • When were the crimes committed?
  • Were these crimes limited to US jurisdiction?
  • What evidence is there to collect?
  • Where might the physical and digital evidence be located?
  • What types of physical and digital evidence were involved with the crime?
  • Does any of the evidence need to be photographed/preserved immediately?
  • How can the evidence be preserved and maintained for court proceedings?

Identify Possible Evidence

Digital evidence can come in many file types and sizes. For example, see Most Common Electronic Devices. Further, the evidence may be encrypted, protected, or otherwise hidden. If your agency does not have the resources, tools, or specific expertise necessary to identify and collect this evidence, consider partnering with other agencies that do have these capabilities. See the Community page for more information.

Secure Devices and Obtain Court Orders

In many cases, investigators may seize electronic devices without a warrant, but must obtain a warrant in order to conduct a search on the device(s). Multiple warrants may need to be obtained if a particular device is connected to multiple crimes.

Warrants should clearly describe all files, data, and electronic devices to be searched as specifically as possible and seek approval to conduct analysis off-site (e.g. at a specialized forensics laboratory).

Subpoenas can also be used to obtain digital evidence. Many Internet- and communication-based companies have guides to assist law enforcement in understanding their information sharing policies (see Handling Evidence from Specific Sources).

A non-disclosure agreement (NDA) is often needed when law enforcement requests information from an Electronic Service Provider (ESP) and does not want the ESP to notify the user that information has been requested from their account.

A court order is required to compel the ESP to produce information beyond basic subscriber information. This may include, but is not limited to, message headers or IP addresses; it does not include content.

Analyze Results with Prosecutor

It will also be important to work with the prosecutor to identify the appropriate charges (based on existing common law and state and federal statutes), and to determine what additional information or evidence will be needed prior to filing charges.
